mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-11-13 08:48:41 +00:00
d3abcb90e3
The new logic is as follows: * Given a URL to insert into url(), check that it is properly URL encoded (in particular, a doublequote and backslash never occurs within it) and then place it as url("http://example.com"). * Given a font name, if it is strictly alphanumeric, it is safe to omit quotes. Otherwise, wrap in double quotes and replace '"' with '\22 ' (note trailing space) and '\' with '\5C ' (ditto). We introduce expandCSSEscape() which is a hack for common parsing idioms in CSS; this means that CSS escapes are now recognized inside URLs as well as unquoted font names. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
73 lines
2.4 KiB
PHP
73 lines
2.4 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Validates a font family list according to CSS spec
|
|
* @todo whitelisting allowed fonts would be nice
|
|
*/
|
|
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
|
|
{
|
|
|
|
public function validate($string, $config, $context) {
|
|
static $generic_names = array(
|
|
'serif' => true,
|
|
'sans-serif' => true,
|
|
'monospace' => true,
|
|
'fantasy' => true,
|
|
'cursive' => true
|
|
);
|
|
|
|
// assume that no font names contain commas in them
|
|
$fonts = explode(',', $string);
|
|
$final = '';
|
|
foreach($fonts as $font) {
|
|
$font = trim($font);
|
|
if ($font === '') continue;
|
|
// match a generic name
|
|
if (isset($generic_names[$font])) {
|
|
$final .= $font . ', ';
|
|
continue;
|
|
}
|
|
// match a quoted name
|
|
if ($font[0] === '"' || $font[0] === "'") {
|
|
$length = strlen($font);
|
|
if ($length <= 2) continue;
|
|
$quote = $font[0];
|
|
if ($font[$length - 1] !== $quote) continue;
|
|
$font = substr($font, 1, $length - 2);
|
|
}
|
|
|
|
$font = $this->expandCSSEscape($font);
|
|
|
|
// $font is a pure representation of the font name
|
|
|
|
if (ctype_alnum($font) && $font !== '') {
|
|
// very simple font, allow it in unharmed
|
|
$final .= $font . ', ';
|
|
continue;
|
|
}
|
|
|
|
// bugger out on whitespace. form feed (0C) really
|
|
// shouldn't show up regardless
|
|
$font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
|
|
|
|
// These ugly transforms don't pose a security
|
|
// risk (as \\ and \" might). We could try to be clever and
|
|
// use single-quote wrapping when there is a double quote
|
|
// present, but I have choosen not to implement that.
|
|
// (warning: this code relies on the selection of quotation
|
|
// mark below)
|
|
$font = str_replace('\\', '\\5C ', $font);
|
|
$font = str_replace('"', '\\22 ', $font);
|
|
|
|
// complicated font, requires quoting
|
|
$final .= "\"$font\", "; // note that this will later get turned into "
|
|
}
|
|
$final = rtrim($final, ', ');
|
|
if ($final === '') return false;
|
|
return $final;
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|